DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-47347: Open Redirect Vulnerability in TYPO3 CMS GeneralUtility::sanitizeLocalUrl

Vulnerability ID: CVE-2026-47347
CVSS Score: 5.3
Published: 2026-06-12

CVE-2026-47347 is an open redirect vulnerability affecting multiple TYPO3 CMS versions. The issue resides in GeneralUtility::sanitizeLocalUrl, where a blocklist-based validation does not account for browsers normalizing malformed relative paths (such as paths containing backslashes) into protocol-relative URLs that point at external hosts. Attackers can exploit this to conduct phishing, session hijacking, or credential harvesting campaigns.

TL;DR

A flaw in TYPO3's GeneralUtility::sanitizeLocalUrl allows attackers to bypass local URL verification. By supplying URLs that contain backslashes, attackers trigger modern browsers' URL normalization, which redirects users to external malicious domains.

Technical Details

  • CWE ID: CWE-601
  • Attack Vector: Network (AV:N)
  • CVSS v4.0: 5.3 (Medium)
  • EPSS Score: 0.00484
  • Exploit Status: None (No Public Exploit)
  • CISA KEV Status: Not Listed
  • Impact: Subsequent System Integrity (SI:L)

Affected Systems

  • TYPO3 CMS Core
  • TYPO3 CMS: < 10.4.57 (Fixed in: 10.4.57 ELTS)
  • TYPO3 CMS: 11.0.0 - 11.5.50 (Fixed in: 11.5.51 ELTS)
  • TYPO3 CMS: 12.0.0 - 12.4.45 (Fixed in: 12.4.46 ELTS)
  • TYPO3 CMS: 13.0.0 - 13.4.30 (Fixed in: 13.4.31 LTS)
  • TYPO3 CMS: 14.0.0 - 14.3.2 (Fixed in: 14.3.3 LTS)

Code Analysis

Commit: 22c2dd5

Fix open redirect in GeneralUtility::sanitizeLocalUrl by moving to a strict RFC 3986 validation whitelist.

Commit: 3ffc083

Apply strict whitelist matching to prevent normalization bypasses in sanitizeLocalUrl.
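To show why moving from a blocklist to a strict RFC 3986 allowlist matters, here is an added PHP illustration (it is not TYPO3's own sanitizeLocalUrl and not the patched code): a naive blocklist check beside a strict allowlist check, run over constructed sample URLs. It assumes PHP 8 and, as a deliberate design choice, accepts only root-relative paths.

```php
<?php
declare(strict_types=1);

// Weak, blocklist-style check (illustrative, NOT TYPO3's code): rejects a
// few known-bad shapes and passes everything else through. Browsers treat
// "\" as "/" in http(s) URLs, so "/\evil.example" is normalised to
// "//evil.example", i.e. a protocol-relative redirect to an external host.
function blocklistLocalUrl(string $url): string
{
    $lower = strtolower(ltrim($url));
    if (str_starts_with($lower, '//') || preg_match('/^[a-z][a-z0-9+.-]*:/', $lower) === 1) {
        return '';
    }
    return $url; // "/\evil.example" slips through here
}

// Strict, allowlist-style check: accept only a root-relative path built from
// RFC 3986 pchar/query/fragment characters and well-formed percent-escapes.
// A second leading "/" is refused and "\" is simply not in the allowed set,
// so browser normalisation tricks never reach the redirect. "\z" (not "$")
// is used so that a trailing newline cannot sneak past the check.
function allowlistLocalUrl(string $url): string
{
    $pattern = '"^/(?!/)(?:[A-Za-z0-9._~!$&\'()*+,;=:@/?#-]|%[0-9A-Fa-f]{2})*\z"';
    return preg_match($pattern, $url) === 1 ? $url : '';
}

// Constructed sample inputs (not taken from any real report or exploit).
$samples = [
    '/index.php?id=42',        // legitimate local target
    '/\evil.example/login',    // backslash normalisation bypass
    '//evil.example/',         // protocol-relative URL
    'https://evil.example/',   // absolute external URL
    "/typo3/\tevil.example",   // embedded control character
];

foreach ($samples as $sample) {
    printf("%-28s blocklist=%-26s allowlist=%s\n",
        json_encode($sample),
        var_export(blocklistLocalUrl($sample), true),
        var_export(allowlistLocalUrl($sample), true));
}
```

Only the first sample survives the allowlist; the backslash and tab samples pass the blocklist unchanged, which is the class of bypass the advisory describes.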

Mitigation Strategies

  • Upgrade to a patched version of TYPO3 CMS Core.
  • Implement Web Application Firewall (WAF) filtering to identify and block invalid characters (such as backslashes) in redirect-associated parameter keys.

Remediation Steps:

  1. Verify the current version of the TYPO3 CMS installation.
  2. Obtain the appropriate security update based on the current branch (e.g., 10.4.57 ELTS, 11.5.51 ELTS, 12.4.46 ELTS, 13.4.31 LTS, or 14.3.3 LTS).
  3. Apply the security update and clear TYPO3 system caches.
  4. Configure WAF rules to drop traffic containing double-backslashes or non-standard control characters in query strings targeting redirection modules.

Read the full report for CVE-2026-47347 on our website for more details including interactive diagrams and full exploit analysis.